Overview
Profiles and profile grants are the evolution of Business Roles. Profile grants are designed to improve efficiency across the organization by allowing data owners to pre-approve user permissions based on users' attributes. They enable more streamlined and accurate user onboarding and reduce the volume of permissions that must be individually reviewed in access reviews. Profile grants can be either birthright or suggested level, giving administrators more control over which permissions are provisioned during onboarding. Both birthright and suggested profile grants can be used to pre-approve permissions in an access review.
Terminology
Profile: A collection of users defined by a combination of one or more attributes in your organization, such as Department=Engineering & Title=Engineer. A user may be associated with zero or more profiles, and there may also be a profile for All Users.
Profile grant: A mapping between a profile and a permission, that is, a permission matching a specific profile definition, like Department=Engineering & Permission=Github Members. Grants will be recommended by Zilla based on a high percentage of profile users already having the permission. The application or permission owner may activate a recommended profile grant.
Birthright level: Indicates that all users in the profile should have the permission.
Suggested level: Indicates that all users in the profile may have the permission.
Profile grant states:
New: Grants suggested by Zilla but not yet activated.
Activated: Grants that are used for onboarding and access reviews.
Deactivated: Grants that are no longer used.
...
Activate Grant - Makes profile grants eligible for onboarding and access reviews.
Deactivate Grant - Deactivated grants will not be used for onboarding or access reviews.
Reassign Approver - By default, the Technical permission owner or the Business Owner of the permission’s application is the approver of the profile grant. Reassignment can be to any other owner (business, technical, additional) of the relevant application.
Edit Level - Zilla’s suggestion of either birthright or suggested can be manually overridden.
...
Generating Profiles
The Zilla administrator initiates profile generation. Zilla uses machine learning to analyze the tenant’s data and recommend a collection of profiles, each with one or more profile grants. Profile grants originate in the New state and must be activated before they can be used in an access review or for provisioning. By default, an application or permission owner is responsible for reviewing and activating profile grants, but Zilla admins can also activate them.
See How to Generate Profiles for a step-by-step guide.
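A simplified illustration of the recommendation and pre-approval logic described in Terminology and Generating Profiles, added here as an example; it is not Zilla's code or its machine-learning model. The thresholds, the sample users, the function names and every permission name other than Github Members are assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample tenant data (not real users): (id, department, title, permissions).
ROWS = [
    ("u1", "Engineering", "Engineer", {"Github Members", "Jira Users"}),
    ("u2", "Engineering", "Engineer", {"Github Members", "Jira Users"}),
    ("u3", "Engineering", "Engineer", {"Github Members", "AWS Admin"}),
    ("u4", "Engineering", "Manager", {"Github Members", "Jira Users"}),
    ("u5", "Sales", "Rep", {"Salesforce Users"}),
    ("u6", "Sales", "Rep", {"Salesforce Users"}),
    ("u7", "Sales", "Rep", {"Salesforce Users"}),
]
USERS = [{"id": i, "attrs": {"Department": d, "Title": t}, "perms": p} for i, d, t, p in ROWS]

# Assumed cut-offs for illustration only; the page does not give Zilla's values.
BIRTHRIGHT_MIN, SUGGESTED_MIN, MIN_POPULATION = 0.9, 0.6, 3

def profiles_of(user):
    """Every attribute combination the user matches; frozenset() is the All Users profile."""
    items = sorted(user["attrs"].items())
    return [frozenset()] + [frozenset(c) for n in range(1, len(items) + 1) for c in combinations(items, n)]

def recommend_grants(users):
    """Return {(profile, permission): level} where a high share of the profile holds the permission."""
    members, holders = defaultdict(set), defaultdict(set)
    for u in users:
        for p in profiles_of(u):
            members[p].add(u["id"])
            for perm in u["perms"]:
                holders[(p, perm)].add(u["id"])
    grants = {}
    for (p, perm), held in holders.items():
        share = len(held) / len(members[p])
        if len(members[p]) >= MIN_POPULATION and share >= SUGGESTED_MIN:
            grants[(p, perm)] = "birthright" if share >= BIRTHRIGHT_MIN else "suggested"
    return grants

def review_queue(users, activated):
    """Split (user, permission) pairs into pre-approved by an activated grant and manual review."""
    pre, manual = [], []
    for u in users:
        mine = set(profiles_of(u))
        for perm in sorted(u["perms"]):
            ok = any(p in mine and g == perm for p, g in activated)
            (pre if ok else manual).append((u["id"], perm))
    return pre, manual
```

With the Department=Engineering and Department=Sales grants activated, ten of the eleven permissions in the sample are pre-approved and only u3's AWS Admin, held by one user in the profile, is left for individual review.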
Reviewing New Profiles
When Profile generation completes, the profiles will be presented in a table on the Profiles page along with summary information. See below for details.
...
(1) Profile grants can be viewed in several different ways: By Profile, By Application, List.
(2) Active User Permissions: Displays the count of permissions across all accessible applications that are mapped to active users.
(3) Total Grants: Displays the total number of grants by state. See state definitions in Terminology.
(4) Total Profiles: Shows the average number of profile grants per profile and the number of applications with profiles.
(5) The Profile table includes the following columns:
Profile: User attributes shared by a population of users.
Users: Number of users matching the profile.
New/Notified/Active Grants: Number of profile grants within the profile by state.
Last Updated: Displays when this profile grant’s status was last updated.
Actions: Click View to see a list of grants for the profile to take an action. See actions definitions in Terminology.
(6) Search and Filter provides the ability to search the profiles and filter by Profile and Last Updated.
Activating New Profile Grants
Before a profile grant can be used by the Zilla application in either onboarding or user access reviews, it needs to be activated. Activation is the responsibility of the Application’s Technical Owner (by default) but any admin can also activate a profile grant.
See How to Activate Profile Grants for a step-by-step guide.
Changing the Level of Profile Grants
Make sure the Level of the profile grants meets the needs of the organization. Both birthright and suggested levels are pre-approved for access reviews and provisioning. The difference between the two is seen with provisioning. Birthright level permissions can all be assigned together in a policy action but suggested level permissions need to be requested separately. Level accuracy is the responsibility of the Application’s Technical Owner (by default) but any admin can also activate a profile grant.
See How to Change the Level of a Profile Grant for a step-by-step guide.
Customizing Profile Generation
After the initial profile generation, the administrator can re-generate profiles at any time and specify the scope in terms of the population and which demographic values to use. The user demographic fields available to choose from are based on the tenant's collected user metadata. In order to be included, the field must be collected and populated. The administrator can also change the system defaults regarding minimum quality and population of profiles.
See How to Customize Profile Generation for a step-by-step guide.
TBD - reference documentation for using Profiles in an Access Review as well as Provisioning.
Taking Action on Profile Grants in Batches
In addition to taking action on individual profile grants, Zilla provides the ability to take action on a filtered set of profile grants. Users can activate grants, deactivate grants, reassign approvers and edit the level for the set of profile grants.
See How to Take Action on Profile Grants in Batches for a step-by-step guide.